Sessions vs. Cookies, once and for all

twilson

This has been bothering me forever, and I must know.

As far as I've read, sessions are mainly used to track and store a specific user's information on the server for a specified period of time. They are not to replace database information, but are used as long-term variables. My question is, if this is the case, for a site that does not need to store any information about a user other than what it already has in it's database, are cookies just as good for authentication and verification as sessions are?

Thanks in advance to anyone who can help answer this.

Tom 🙂

planetsim

You cant really compare sessions and cookies. Cos they kinda are really different.. The main difference is sessions store there cookies on the server while cookies are on the users computer

Now this forum uses sessions and cookies.

So if we are to compare them we need certain circumstances.

1)
Say we have an Admin Panel For a site. Which would be the best way to store users info..

Well you could say cookies.. But then its not safe if someone else uses the computer. They'd be able to get in..

So sessions in this case is what should be used..

2)A Forum
Well i say both should be used.
The Forum could be something of importance and not want others to know what they do there.. So a session is good.

Now i said both.. Cookies would be good if the user wants to not have to remember passwords etc..

3)Member site
Now Cookies would be good in one way.. and not good in another. If its a paysite.. Then sessions else we can use either cookies and sessions..

I hope that kinda clarifies what each are good at.. It really comes down to what circumstance either is needed for.

driverdave

A cookie variable is stored on the clients computer.
Cookie variables cannot be trusted, since the client has direct access to them.

A session variable is stored on the server.
Session variables can be trusted, since the client has no direct access to them.

planetsim

Actually cookies can be trusted.. People maybe able to delete change there data..But someone will need to know what they are doing..

Another thing is there is an index file.. Which saves the data.. Unless they break that.. Then cookies can still be trusted

karlitosphere

i'd say cookies are very useful and very safe when handled well.. i mean, one way of making a cookie safe is to "encrypt" it in a way that only you and other programmers would understand it..

anywayz, i'd go for sessions whenever possible rather than dumping cookies and having to keep track of the variables associated with them..

one big thing about sessions is that the variables registered to the session exist in the server-side so this may prove to be a problem for bz servers with limited resources.. i dont have the hard facts to prove this though.. YET..

pinkbike

I remember being confuesd on this topic for a while when I was trying to figure it out, but it all becomes clear once one understands sessions. (It's even better once you look at things in term of GET and POST requests by the browser but that may be overkill here)

Cookies
- a variable name and value pair that is stored on a client computer/browser. This pair can be set by a server page, and also automatically is sent to any other server pages. The server page can "see" if what that variable/pair is and take action accordingly.

Session
- in MOST cases it requires a cookie
- any data is associated on the server with in essense a variable/value pair. The variable is lets say PHPSESSION and the value some 32 character random string.

- so if your server sets this cookie on a users computer any other pages accessed on your site are provided with this cookie data.
- now a session is simply the mechanism of associating some other data on the server with the value of this cookie. You can store a name, email or ANY stuff associated with this value. It's really easy to make your own sessions by just having a database with a cookie value as a key and then then some text/information as the data associated with that key.
- so simply when a server page is hit, it looks at the users "cookie"/session key value , looks it up in a table, and extracts any data that is associated with it.

the session support in PHP just happens to automate things for you. THis "data" that I mentioned is a serialized representation of variables, arrays, objects that are assigned to the $SESSION. If you set any variable/value pairs in the $SESSION array in your page, after your page is finished processing this $_SESSION array is serialized (serialized is just a text representation of the element names and values in the array) and stored in a place keyed by the "cookie" variable value. The cookie name in this case is PHPSESSION (by default).
when a new page is opened and you execute session_start() , this simple looks at the cookie value for the the PHPSESSION variable that you passed, then looks up the data assosicated, unserializes it and makes those values available once again in the $_SESSION variable.

There is no magic to it. Sessions is just a mechanism to associate some data on the server to some key passed in by the client.

To answer your question of whether using sessions or just cookies.

By definition sessions is some date associated with a user for a shorted duration, or more particularly, a browser session. Typically the cookie that stores the PHPSESSION variable/value pair is set as a cookie for the duration of the browser window and not actually set in a file on the client PC. (or at least that is IMHO the general usage) You typically would set some other cookie, like just the username. Your "auth" function would first look for a valid php session and if not present it would look for this permenant user identification and then start a new session with more of that users data for the duration of his visit. (REMEMBER - this permenant/long term cookie should be something encrypted, or can also have some server association to determine the user. This is because a user can change his cookie to some other username value and this is bad.)

driverdave

Actually cookies can be trusted

Client side data can NEVER be trusted. Period.

I can change my cookies to say whatever I want them to say. I can send whatever headers I'd like (user agent, referrer, etc...). You can do your best to obfuscate your client side data, but the fact remains that the client is in control of client side data.

With session data, the server is in complete control of the data.

I'm not saying that client side data can't be usefull, I use it all the time. But it can't be trusted. The only tradeoff I concede to is session ids stored client side.

twilson

Thank you all for your replies.

I am currently using an authentication program written by the owner of phpBuilder (I believe) which uses two cookies (user_name and hash_id) to keep you authenticated. From what I can tell it is pretty secure, and I have the cookies cleared when the browser closes or they logout.

Thanks again,
Tom 🙂

planetsim

Cookies have there purpose and Sessions have theres.. Both have there flaws